GOV.UK
Compliance visit tests: Checking compliance under the Risk Based Approach: General Introduction
The Regulations present a challenge when it comes to evaluating compliance because they do not specify the procedures or records that must be used for risk-assessment and management, internal control, monitoring and management of compliance, or internal communication. The requirement is that these systems must be “appropriate and risk-sensitive”.
The risk-based approach is designed to allow businesses to determine how they can most effectively manage the risks that exist in their business and to establish procedures that best suit their organisation. HMRC must recognise that businesses will do things differently and we can accept that as long as they are able to demonstrate that they have identified risk appropriately and used reasonable judgement in the circumstances to mitigate it.
In order to decide whether the systems in place are adequate, HMRC must take into account the size, structure and activities of each business. For example, HMRC cannot expect or insist upon extensive policy or risk analysis documentation at small businesses with few staff and/ or limited product or customer types.